tcpdump mailing list archives

Re: why doesn't tcpdump drop privileges?


From: Jefferson Ogata <Jefferson.Ogata () noaa gov>
Date: Tue, 20 Jan 2004 19:20:13 -0500

Andrew Pimlott wrote:
Every once in a while there is a security alert about tcpdump being
hackable through one of the many protocol analyzers.  Couldn't these
be prevented simply by unconditionally dropping privileges as soon
as the interface is opened?

No, they couldn't. You'll still end up executing arbitrary code, and a user shell is almost as bad as a root shell.

+       /* Attempt to drop back to nobody.  This is safest. */
+       nobody = getpwnam("nobody");
+       if (nobody && nobody->pw_uid)
+               setuid(nobody->pw_uid);
+       /* If there is no nobody (?!), at least drop back to original uid */
+       else
+               setuid(getuid());
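Review bot: both setuid() calls in this hunk ignore their return value, so if the call fails (for example EPERM when the process has the capture capability but not the right to change uid) tcpdump carries on with its original privileges while believing it dropped them; check the result and exit on failure. The hunk also changes only the user ID: there is no setgroups()/setgid() before the setuid(), so supplementary groups and the gid are kept, and those calls have to come first because they need privilege. Finally, the fallback `setuid(getuid())` is a no-op when tcpdump was started directly by root (getuid() is already 0), so the comment "at least drop back to original uid" promises more than the code delivers in that case.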

Your patch does not set euid. The user can trivially setuid back to superuser. You also aren't setting gid or egid.

Why do you think "nobody" is "safest"? Capabilities are a better approach to this particular problem, since they make no assumption about what uid to setuid to, and instead can grant the capture capability to a regular user.

The real solution to the periodic dissector vulnerabilities is to devise an abstract language and virtual machine which is provably safe for doing protocol dissection. If this were done correctly, the virtual machine would be BPF (or something better) and the same VM, compiler, and optimizer would be used for protocol analysis as for filtering. And with a tiny bit more cleverness, the dissector could work in reverse to construct the protocol as well. The existing BPF bytecode would be able to do the vast majority of protocol dissection, if only the compiler were a bit more generic. A successor to BPF with a lot more registers and a mechanism for storing into a non-register data structure would be ideal.

--
Jefferson Ogata <Jefferson.Ogata () noaa gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt () noaa gov>
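The reply above names three things the quoted patch gets wrong: the group IDs are never changed, the saved user ID is left where it was, and nothing checks that the drop actually worked. As an added example, not code from this thread or from tcpdump itself, here is a privilege drop that does those steps in the right order and then verifies that root cannot be regained. It assumes Linux (setresuid/getresuid) and, when started as root, a "nobody" account or, failing that, the conventional numeric id 65534; started unprivileged it drops to the caller's own ids so the whole path still runs.

```c
/* Added example, not code from the original message or from tcpdump:
 * groups and gid are dropped before the uid, real/effective/saved ids
 * are set together, every return value is checked, and the drop is
 * verified. Assumes Linux (setresuid/getresuid). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes so the build does not depend on _GNU_SOURCE being
 * seen before the first system header. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* Permanently switch to uid/gid. Returns 0 on success, -1 with errno set.
 * Order matters: clearing groups and changing the gid need privilege,
 * so they happen while we still have it; the uid change comes last. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* An unprivileged process cannot call setgroups() at all; tolerate
     * EPERM only when we are not root, where there is nothing to drop. */
    if (setgroups(0, NULL) == -1 && !(errno == EPERM && geteuid() != 0))
        return -1;
    /* Real, effective AND saved ids: a bare seteuid() would leave the
     * saved id at 0 and setuid(0) would bring root straight back. */
    if (setresgid(gid, gid, gid) == -1)
        return -1;
    if (setresuid(uid, uid, uid) == -1)
        return -1;
    return 0;
}

/* Returns 1 if all three uids and gids equal the target and root can no
 * longer be regained, 0 otherwise: the check the patch never makes. */
int verify_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) == -1 || getresgid(&rg, &eg, &sg) == -1)
        return 0;
    if (ru != uid || eu != uid || su != uid)
        return 0;
    if (rg != gid || eg != gid || sg != gid)
        return 0;
    /* Both must fail once no id in the set is 0 any more. */
    if (uid != 0 && (seteuid(0) == 0 || setuid(0) == 0))
        return 0;
    return 1;
}

/* Target: "nobody" when started as root (falling back to 65534, an
 * assumption for illustration only); otherwise the caller's own ids. */
void choose_target(uid_t *uid, gid_t *gid)
{
    if (geteuid() != 0) {
        *uid = getuid();
        *gid = getgid();
        return;
    }
    struct passwd *pw = getpwnam("nobody");
    if (pw != NULL && pw->pw_uid != 0) {
        *uid = pw->pw_uid;
        *gid = pw->pw_gid;
    } else {
        *uid = 65534;
        *gid = 65534;
    }
}

/* Drop and verify. Returns 0 on success, 1 if the drop failed,
 * 2 if it reported success but did not actually hold. */
int run_demo(void)
{
    uid_t uid;
    gid_t gid;
    choose_target(&uid, &gid);
    if (drop_privileges(uid, gid) == -1) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    if (!verify_dropped(uid, gid)) {
        fprintf(stderr, "privilege drop did not hold\n");
        return 2;
    }
    printf("running as uid %u gid %u, root cannot be regained\n",
           (unsigned)uid, (unsigned)gid);
    return 0;
}

int main(void) { return run_demo(); }
```

Build with `cc -o dropdemo dropdemo.c` and run it once as root and once as yourself. The capability-based alternative the reply prefers needs no setuid at all on Linux: `setcap cap_net_raw,cap_net_admin=eip /path/to/tcpdump` lets an ordinary user open the capture interface, and the dissectors then never run with uid 0 in the first place.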

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
